Hello, this is Melih Taş. I will present practical VoIP pentesting using the most up-to-date version of Mr. SIP Pro. Mr. SIP is a SIP-based audit and attack tool. It's a software product that helps organizations manage their communication infrastructure and perform VoIP-specific security tests. Companies can also measure their risks. Please give a star on our GitHub, please follow our Twitter account for updates, and please subscribe to our YouTube channel if you want to be one of the subscribers we keep updated.

Let's talk about our agenda. I will have a very short introduction, then I will briefly talk about the timeline and the story of Mr. SIP. I would like to mention some facts about VoIP security. I will then share some information about the Pro version modules of Mr. SIP. I will explain the functionalities and the interaction between the modules. We will also look at our roadmap. After briefly showing some basics of VoIP and SIP, I will mention today's VoIP security threats. Then I will show the lab setup we will use during the demo. And the interesting part begins here: I will talk about three cool hacking stories which I will demonstrate using Mr. SIP Pro. The first story is actually based on a real incident, and we will show you how hackers made millions of dollars in large-scale toll fraud. For each hacking story, I will give baseline information, the lab setup, prerequisites, the steps to perform, the demo itself, and a short conclusion. In addition, I will talk about how we developed advanced novel attacks. These novel attacks appeared in the academic literature using Mr. SIP. Finally, we will review how Mr. SIP fits into the overall VoIP pentest methodology.

And here I will mention my profile. You can call me Melih. I am a security researcher from Istanbul, Turkey. I mostly do offensive security research about VoIP.
I work as a principal pentester in a private bank and I have a PhD in computer engineering. I am an entrepreneur. In my free time, I do bug hunting. If you want to reach out to me, please find me on LinkedIn, Twitter, or GitHub. And here is my friend Kubilay. We have worked together since 2016. He has a PhD from Oxford University. He works at the Cyber Security Centre there. And he is an alumnus of ETH Zurich. He is mainly working on trusted computing, hardware-assisted security, and Intel SGX technology. You can reach him on LinkedIn for your questions or projects.

Mr. SIP is a VoIP security product that started as a hobby project. Mr. SIP resulted in several academic research papers and journal articles. It is the most comprehensive attack-oriented VoIP product ever, and you will see the reasons today. Mr. SIP first appeared in a private company where I worked before. We raised about 8 million Turkish liras, nearly 2 million euros, in research funds. The first prototypes were funded and used by the Turkish government. Between 2011 and 2015, Mr. SIP remained closed source. One independent project was subsequently begun in a similar timeline. In 2012, we planned to employ Fatih. After some meetings, and because there was no NDA, he forked our project. It was our mistake that we did not have an NDA. In the following years, all the tools remained closed source and I left the company. We gathered a new team in 2016. We dedicated ourselves to reprogramming all the tools, utilizing all of our past experience. The open source period began. We published the first open source version in 2017, and Mr. SIP appeared in Black Hat USA, Europe and Asia Arsenal, and also in OFFZONE Moscow. We currently have 10 modules and we plan to add 5 new modules. We will gradually open source more modules once they are mature. We aim to integrate with Kali Linux and Metasploit, and we look for collaboration with big VoIP vendors.
Various reports show the current security risk in the VoIP sector. According to the CFCA 2019 report, the total loss from telecom fraud was $28.2 billion, which corresponds to 1.74% of total telecom revenues. When we look at the most common weaknesses in the graph on the left side, in the top three we see that VoIP users and PBX systems are targeted most. In the graphic on the right, we see that the biggest risks for communication systems are denial of service attacks and caller ID information fraud. Mr. SIP is evolving and is actively being used by researchers and practitioners. The demand from the sector confirms that we should make Mr. SIP better. It was shared on various popular forums and news sources, including Black Hat's homepage. Mr. SIP was cited in Cisco publications. It was used in caller ID spoofing tests as part of a Turkish Standards Institute collaboration for national VoIP standard-setting studies. It has also been used in various prestigious academic publications.

VoIP technologies have unavoidable security threats. VoIP protocols are not designed securely. The products developed so far could not catch up with today's security requirements. VoIP security cannot be addressed correctly in corporate information security policies because they have low awareness of VoIP security. We foresee that VoIP security will gain more importance in the near future. And Mr. SIP is here to solve all the problems. Mr. SIP contains ten modules in three categories: information gathering, vulnerability scanning, and offensive modules. There are two helpful components called the IP-specific engine and the message generator. Green modules are included in the open source version, the public version. In the Pro version, we have added five more modules. We also extended the public modules with new features. Also, in our roadmap, there are five new attack modules. In addition, we will develop an easy-to-use GUI.
I will not go through each module one by one, but you will see in the live demo how we combine them to deploy large-scale attacks. If we have time in Q&A, we can discuss and explain the modules further. You can also read the documentation on our GitHub. It also has many innovative and competitive features, for example high-performance multithreading, IP-specific smart SIP message generation, and self-hiding and intervention skills. Mr. SIP also has a customizable scenario development framework for stateful attacks. We have seen practitioners also use Mr. SIP as a client simulator and traffic generator. There are service providers and public institutions who are waiting for a structure to use Mr. SIP. Service integrators and consulting firms working in the security field use Mr. SIP. We welcome any novel use case of Mr. SIP you may have. Mr. SIP is a tool that should be in every pentester's and red teamer's toolbox. It's also used to perform unit tests during the development of VoIP and security products. It's also useful at the quality checking stage before purchasing such VoIP products.

Now, before we go into the technical details of Mr. SIP, let's understand how SIP works. There are three approaches to how VoIP is deployed and configured within organizations: internal VoIP implementation, managed services, and online SIP trunking. For this presentation, we will target internal VoIP implementations. SIP is a text-based protocol very similar to HTTP. You can see the request methods and response types here. If you need more information on SIP itself, please ask in Q&A. This is the very basic call flow for SIP. Normally, call flows can be more complex. This is between two users with the server in the middle. Although SIP is similar to HTTP, it's more complex than HTTP. RTP means the media. And this is a sample of an INVITE message.
There are some specific headers and parameters which need to be random, specific and unique for each call. SIP uses a mechanism similar to HTTP, known as HTTP digest. The user password is symmetric and pre-shared. In SIP 2.0, the MD5 hashing algorithm is applied to the authentication data before it is sent to the server. This is a sample SIP REGISTER message. It shows the packet capture of a SIP authentication request. This packet capture contains useful information to execute the authentication attack.

We will demonstrate the VoIP security threats over three hacking scenarios. We will identify SIP servers and enumerate user extensions. We will talk about registration hijacking using SIP digest authentication cracking. We will do man-in-the-middle attacks and SIP stripping. Caller ID spoofing, call eavesdropping, and telephony denial of service attacks are other security threats we are going to demonstrate. We will also be able to find the vulnerabilities and exploits specific to SIP components. We have several live demos. In the long-distance call routing fraud demo, we will show how hackers deploy large-scale attacks on telecom companies' infrastructures.

This is our VoIP security laboratory environment. We have three IP PBX devices on the network. We use three PBXs and three types of SIP servers. We have one attacker machine, which is Kali Linux, and Mr. SIP Pro is installed on it. There are some users registered on those PBX systems. We use Zoiper, Jitsi, and Linphone soft clients. Mr. SIP is a console-based Python 3 tool. In order to run Mr. SIP in your Kali, you need to install some Python libraries. Please see our GitHub for full instructions. Here we will see how Mr. SIP modules work together to deploy an attack. Green modules are core modules, blue ones are attack modules. External inputs such as dictionaries are in yellow, and gray ones are outputs of Mr. SIP modules.
As you can see in the graphic above, the SIP message generator feeds the network scanner, enumerator, vulnerability scanner, signaling manipulator, DoS attack simulator, and attack scenario player. The output of the network scanner is given as input to the enumerator and vulnerability scanner. In the graphic below, the sniffer, along with the man-in-the-middle attack modules, feeds the eavesdropper and cracker. The list of valid SIP users is the output of both the enumerator and the eavesdropper. Then all these outputs feed the predefined user agent and SIP extension dictionaries.

Our first hacking story is registration hijacking for long distance call routing fraud. This attack is based on fraudulent traffic carrying. Hackers made millions of dollars in this fraud business. I will expose the details right now. With this attack, we target an enterprise that can make VoIP calls over the internet, which means that they have SIP trunk services. As a result of this attack, the VoIP infrastructure will be abused and will be hit with expensive bills. The underlying causes of the attack are weak or no password policies specific to the VoIP service. This situation is often experienced in enterprises. Another reason is that VoIP communication takes place over unencrypted channels using UDP. The attacker's motivation is to gain user access, execute a VoIP wholesale carrier voice business through the stolen user accounts, and repeat this for hundreds of enterprises, resulting in million-dollar benefits. Our attack scenarios are authentication attack and registration hijacking. The techniques we will use are man-in-the-middle sniffing, digest authentication calculation, and dictionary-based password cracking. When we talk about our setup and attack steps, we have two assumptions. First, we were hired to do an internal VoIP pentest. Second, the target SIP server can make VoIP calls over the internet. And we know our target subnet.
We will use the network scanner, enumerator, sniffer, and cracker modules of Mr. SIP Pro. We will use dictionary files as external input for user extensions and passwords. Our steps are: first, we will discover active SIP servers on the network and identify valid users on these servers. Then we will need man-in-the-middle and sniffing skills to capture SIP digest authentication data. We will perform the necessary calculation in order to get the hash we need to crack, and then crack the password in real time with our built-in modules. Our attacker machine is Kali Linux and Mr. SIP Pro is installed on it. For this demo, we will use two terminals. The first thing we want to do is start the SIP sniffer in terminal 2 using the IP address of our attack machine. We can see the SIP traffic activities performed there. We are launching our network scanner in terminal 1, and what SIP-NES does is send SIP OPTIONS messages to all IP addresses in the given subnet to identify SIP servers according to their response status and User-Agent headers. Since we scan a subnet, we want it to be completed quickly, so we give a thread count of 50; the default is 10. We could also give another message type instead of SIP OPTIONS, since some servers may not respond to OPTIONS. As a result, we detected two active SIP servers by scanning the entire network in 20 seconds, and both are Asterisk-based. This automatically writes the SIP-NES output to the ip_list.txt file for other modules to use. Then we will run our SIP enumerator using the predefined user extension dictionary .txt file to detect users on the target server. What it does is send SUBSCRIBE messages to the servers by default. We can use different messages too, such as REGISTER, and it identifies valid users according to their response status. As output, it found valid users on these servers and informed us whether these users require authentication or not.
It detected eight users in 10 seconds in total. Three of them don't have passwords at all. We can get these users directly. Now our goal is to get the passwords of the five others on the list. For this, we are running our password cracker, which performs the SIP digest authentication breaking operation. We determined one server as the target. As input, we need a password dictionary named wordlist_test.txt. What it does is listen to the network using man-in-the-middle and sniffing skills, capture SIP REGISTER messages, and obtain authentication data. Using the data it obtains, it breaks the SIP digest authentication in real time and retrieves the passwords. With a soft client called Zoiper, for demo purposes, I trigger register and unregister activities for different users, and our SIP cracker module instantly gets involved and reveals the passwords. In summary, we found servers and users. We listened to the server, cracked the authentication, took the users, and committed toll fraud. As a final step, in case these users may force single registration, we can perform a SIP registration removal attack, drop their existing registrations, and hijack them. By making this process periodic, we can repeat it over a wide network and increase the number of users we hijack. We can also operate a VoIP wholesale carrier voice, call shop, or prepaid/postpaid card business to make calls when the users we hijack are not using their accounts, according to the country they are located in. Indeed, this is one of the most common attack methods of hackers. For example, at night time, when real users sleep, we can start selling long distance calls on their accounts. These types of attacks earned millions of dollars by doing business only through hijacked VoIP accounts without running any telecom infrastructure. More than once, I was involved in the forensic examination of this type of attack in enterprises, and I will not mention the company names.
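The talk describes SIP digest authentication (MD5 over a pre-shared password plus values that travel in clear text) and the cracker module that recomputes it from captured REGISTER messages. The following Python is an added example, not code from the talk or from Mr. SIP: it implements the RFC 3261 digest calculation without qop, verifies a REGISTER the way a server would, and runs a defender-side audit that tests a capture of the organization's own traffic against a weak-password list. This is exactly why weak extension passwords matter: everything except the password is visible on the wire, so any observer can test candidates offline. The REGISTER message, extension, realm, nonce and password are constructed for the example.

```python
import hashlib
import re


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 3261 digest without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(message):
    """Return the Digest parameters of the first Authorization header, or None."""
    match = re.search(r"^Authorization:\s*Digest\s+(.*)$", message, re.MULTILINE)
    if match is None:
        return None
    params = {}
    # Parameters are either key="quoted value" or key=bare (e.g. algorithm=MD5).
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', match.group(1)):
        params[key] = quoted if quoted else bare
    return params


def verify_register(message, credential_store):
    """Server-side check: recompute the response from the stored password."""
    p = parse_authorization(message)
    if p is None or p.get("username") not in credential_store:
        return False
    expected = digest_response(p["username"], p["realm"], credential_store[p["username"]],
                               "REGISTER", p["uri"], p["nonce"])
    return expected == p.get("response")


def audit_weak_password(message, weak_passwords):
    """Defender-side audit over a capture of your own traffic: which weak-list entry,
    if any, reproduces the observed response? Returns the matching entry or None."""
    p = parse_authorization(message)
    if p is None:
        return None
    for candidate in weak_passwords:
        if digest_response(p["username"], p["realm"], candidate,
                           "REGISTER", p["uri"], p["nonce"]) == p.get("response"):
            return candidate
    return None


# Constructed sample REGISTER (invented extension, realm, nonce and password "1234").
_DEMO_RESPONSE = digest_response("1001", "asterisk", "1234", "REGISTER", "sip:10.0.0.5", "0badc0de")
SAMPLE_REGISTER = (
    "REGISTER sip:10.0.0.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.23:5060;branch=z9hG4bK-demo\r\n"
    "From: <sip:1001@10.0.0.5>;tag=abc\r\n"
    "To: <sip:1001@10.0.0.5>\r\n"
    "Call-ID: 42@10.0.0.23\r\n"
    "CSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="1001", realm="asterisk", nonce="0badc0de", '
    f'uri="sip:10.0.0.5", response="{_DEMO_RESPONSE}", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("server accepts:", verify_register(SAMPLE_REGISTER, {"1001": "1234"}))
    print("weak password found:", audit_weak_password(SAMPLE_REGISTER, ["0000", "1111", "1234"]))
```

The audit function is the same arithmetic the talk's cracker performs; run against your own captures it tells you which extensions would fall to a dictionary in seconds, which is the argument for enforcing long random SIP secrets and for TLS on signaling so the nonce and response are not observable at all.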
Our second hacking story is caller ID spoofing for a spear phishing campaign. Our target is an enterprise with VoIP infrastructure. As a result of the attack, the attacker may gain access to the systems or leak sensitive data. As reasons underlying the attack, we can say that VoIP communication takes place over unencrypted channels and the security awareness in the organization is low. The attacker's motivation may be to infect with malicious software or steal sensitive data. The attacker may also steal credentials for remote access to the system. As our attack vectors, we can say a caller ID spoofing attack and social engineering in combination. We will use techniques such as man-in-the-middle sniffing and SIP signaling manipulation. When we talk about our attack setup and attack steps, our assumption one is still valid, and we already know the target server IP address. We will use the enumerator and eavesdropper modules of Mr. SIP Pro. We will use the user extension dictionary file as the external input. As for our attack steps, we have already discovered the target server and valid extensions. Then we will listen to the active calls with our man-in-the-middle and sniffer equipped modules. And we will both enumerate and use the obtained information in order to perform the caller ID spoofing attack. Our attack setup is the same again. From the step in the previous attack, we target one of the SIP servers. Let's run the enumerator and keep a record of which users are valid. We have detected five active users, and some users don't require authentication. However, keep in mind that with this attack method, we can guess valid users. Now we will eavesdrop on SIP calls, listening to the network with man-in-the-middle and sniffer. We will both learn about the SIP call flow on the server and make an alternative enumeration with more real data.
I made calls with two soft client applications for demo purposes, and when it catches a call, it shows the call as ongoing in the attack output. When the call ends, it can calculate the call duration, and we caught two calls for demo purposes. We know that users 5000 and 1001 are available to receive calls. Now, let's open a second terminal. Here, we can start our sniffer and observe our SIP traffic activities. Let's go back to terminal one and start the caller ID spoofing attack. What we want to do is make a call from 1000 to user 1001. When we send the custom INVITE packet, we see that the call is taking place. In the same way, we have seen that we can make a call to user 5000. By using this attack systematically, we can make calls as insiders and perform phishing activities. As another attack scenario, we can create a list of target users, perform automatic calls to everyone, and play prerecorded media content to everyone. It may be advertisement content. We carried out this demo attack on the internal network. But if the target server could receive and make calls over the internet, we would also be able to call and automate this job on any number we want, of course, if you could make VoIP calls over the internet on the attacker side. The only thing to note here is to check if the VoIP provider on the attacker side allows us to use a custom INVITE message. Some countries and states may have regulations related to this, and service providers may have implemented partial controls to prevent this.

Our third hacking story is abusing a known flood-based telephony denial of service vulnerability. Our target is again any enterprise with VoIP infrastructure. As a result of the attack, we can overload the capacity of the SIP server and cause a service interruption. Knowing the known denial of service vulnerability of the target SIP server helps this attack take place.
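The caller ID spoofing story works because the server accepted a custom INVITE whose From header named an extension the sender did not own. As an added example (not code from the talk or from Mr. SIP), the Python below shows the server-side policy that closes that gap: every INVITE must carry credentials, the authenticated username must be a known extension, and the From user must equal that authenticated username, otherwise the call is rejected. The digest response itself is assumed to have been verified already by the server; the INVITE messages, extensions and realm are constructed for the example.

```python
import re


def parse_sip(message):
    """Split a SIP request into its request line and a dict of lowercase header name -> [values]."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def uri_user(header_value):
    """Extract the user part of a sip:/sips: URI such as '"Boss" <sip:1000@10.0.0.5>;tag=1'."""
    match = re.search(r"sips?:([^@>;]+)@", header_value)
    return match.group(1) if match else None


def authenticated_user(headers):
    """Username claimed in Proxy-Authorization/Authorization (assumed already digest-verified)."""
    for value in headers.get("proxy-authorization", []) + headers.get("authorization", []):
        match = re.search(r'username="([^"]*)"', value)
        if match:
            return match.group(1)
    return None


def check_invite_identity(message, known_extensions):
    """Policy: authenticated INVITE only, and From must name the authenticated extension.
    Returns (accept, reason)."""
    request_line, headers = parse_sip(message)
    if not request_line.startswith("INVITE "):
        return False, "not an INVITE"
    user = authenticated_user(headers)
    if user is None:
        return False, "unauthenticated INVITE: challenge with 407"
    if user not in known_extensions:
        return False, f"unknown extension {user}"
    from_user = uri_user(headers.get("from", [""])[0])
    if from_user != user:
        return False, f"From claims {from_user} but credentials belong to {user}: reject with 403"
    return True, "accept"


def build_invite(from_user, to_user, auth_user=None):
    """Constructed sample INVITE; all header values are invented for the example."""
    lines = [
        f"INVITE sip:{to_user}@10.0.0.5 SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.0.23:5060;branch=z9hG4bK-demo",
        f'From: "Extension {from_user}" <sip:{from_user}@10.0.0.5>;tag=1',
        f"To: <sip:{to_user}@10.0.0.5>",
        "Call-ID: demo@10.0.0.23",
        "CSeq: 1 INVITE",
    ]
    if auth_user is not None:
        lines.append(f'Proxy-Authorization: Digest username="{auth_user}", realm="asterisk", '
                     f'nonce="n", uri="sip:{to_user}@10.0.0.5", response="placeholder"')
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


KNOWN_EXTENSIONS = {"1000", "1001", "1002", "5000"}

if __name__ == "__main__":
    # Legitimate call from 1001, and the talk's spoof: From says 1000 but 1002's credentials.
    print(check_invite_identity(build_invite("1001", "5000", auth_user="1001"), KNOWN_EXTENSIONS))
    print(check_invite_identity(build_invite("1000", "1001", auth_user="1002"), KNOWN_EXTENSIONS))
    print(check_invite_identity(build_invite("1000", "1001"), KNOWN_EXTENSIONS))
```

The check is cheap and stateless, so it belongs in the PBX or SBC in front of it; what it cannot do is verify identity across a SIP trunk from another provider, which is the gap the talk points at when it notes that some providers let customers send custom INVITE headers.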
The attacker's motivation may be to cut off the accessibility of the target server and all the components it serves. Hackers can manipulate the company's attention and carry out other insidious attacks. Our attack vectors are a version-based scan for known vulnerabilities and exploits and, of course, telephony denial of service attacks. We will use flood-based DoS and IP spoofing techniques when performing the attack. Similarly, we assume that we are hired to pentest the company, or any other similar way to match this assumption. We have the target server IP address. We use Mr. SIP Pro's vulnerability scanner and DoS attack simulator modules. We don't need any external input. As for our attack steps, we already know the target server. We will scan for known vulnerabilities and exploits using the server version information, and we will make the server inaccessible by performing a flood-based telephony denial of service attack using the DoS vulnerability we have found. Our attack setup is the same again. Here I will work with three terminals this time for demo purposes. Two are on the offensive Kali, on which Mr. SIP Pro is installed, and one of them is the target 3D Spark SIP server. We have investigated known vulnerabilities and exploits for our target server. We discovered 22 known vulnerabilities and one exploit, and some weaknesses and exploits are familiar to me. I want to check the details immediately. Yes, as I guessed, we know that there is a denial of service vulnerability against a SIP INVITE flood attack, which I will perform between the users. I want to monitor the CPU and memory usage information of 3D Spark in one terminal, and I want to run the sniffer in another to see our SIP traffic. In the last terminal I will send 1000 SIP INVITE messages using random SIP source IP addresses to the target SIP server. I started the attack and we can see the progress on the screen.
INVITE messages are starting to go out. Because these messages come from spoofed IP addresses and use UDP, each response was retransmitted 7 times over 32 seconds due to SIP's own retransmission mechanism. You can see that the output of the top command is frozen at the terminal of the 3D Spark SIP server. In fact, this shows that the SIP server is no longer able to respond. I want to enter the web interface from the browser to verify, but I see that it's not accessible. Ping packets are reaching, but the TTL seems to be strange, and I'm sure now that we have overloaded the server. I can stop the attack and show that the web interface is accessible right now. Although the main problem here seems to be that the SIP server runs a vulnerable version, we know that most networks are vulnerable to telephony denial of service attacks, because the current security perimeters cannot manage VoIP protocols well in the application layer and therefore cannot distinguish them from real traffic in the face of methods such as retransmission and reflection in UDP usage. On the other hand, attackers can use this approach to attract attention and perform another insidious attack at the same time.

So far, we demonstrated three hacking stories. Now we will further explain Mr. SIP features. The attack scenario player allows you to perform stateful SIP call scenarios. We have predefined 8 attack scenarios. It also allows you to develop new attack scenarios such as distributed reflected denial of service or retransmission-based distributed denial of service. These are the attack scenarios that were developed for our recent studies. We named the first one the incomplete INVITE transaction DDoS with non-responding destination attack, and the second the incomplete INVITE dialog DDoS attack. Both of them abuse SIP's retransmission mechanism. Since SIP often uses UDP in the transport layer, it has its own retransmission mechanism.
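The talk's observation that perimeter devices cannot tell a spoofed INVITE flood from real call setup is the detection problem. Below is an added example, not code from the talk or from Mr. SIP, of the two signals a defender can compute from signaling logs or a packet feed: a burst of INVITEs in a short window coming from an unusually large number of distinct sources, and INVITE transactions that never see an ACK (a spoofed sender cannot complete the three-way INVITE handshake because it never receives the response). The event list is constructed for the example; the thresholds are assumptions to be tuned per deployment.

```python
from collections import deque


def invite_flood_alerts(events, window=1.0, max_invites=20, min_sources=10):
    """Slide a time window over INVITE events; alert when both the INVITE count and the
    number of distinct sources inside the window exceed their limits.
    events: (timestamp_seconds, source_ip, method, call_id) tuples sorted by time.
    Returns the timestamps at which the alert condition held."""
    recent = deque()
    alerts = []
    for ts, src, method, _ in events:
        if method != "INVITE":
            continue
        recent.append((ts, src))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= max_invites and len({s for _, s in recent}) >= min_sources:
            alerts.append(ts)
    return alerts


def unacked_invites(events):
    """Call-IDs whose INVITE never received an ACK: a spoofed source never sees the
    response, so it cannot ACK, and the server keeps the transaction alive until its timers expire."""
    invites = {}
    acked = set()
    for _, src, method, call_id in events:
        if method == "INVITE":
            invites[call_id] = src
        elif method == "ACK":
            acked.add(call_id)
    return sorted(c for c in invites if c not in acked)


def build_sample_events():
    """Constructed sample: three normal calls (INVITE then ACK from the same host) followed by
    a burst of 50 INVITEs from 50 distinct sources within half a second."""
    events = []
    for i, src in enumerate(["10.0.0.23", "10.0.0.24", "10.0.0.25"]):
        events.append((float(i), src, "INVITE", f"call-{i}"))
        events.append((i + 0.2, src, "ACK", f"call-{i}"))
    for i in range(50):
        events.append((10.0 + i * 0.01, f"203.0.113.{i + 1}", "INVITE", f"flood-{i}"))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    alerts = invite_flood_alerts(sample)
    print(f"flood alert first raised at t={alerts[0]:.2f}s, {len(alerts)} alert events")
    print(f"{len(unacked_invites(sample))} INVITE transactions without ACK")
```

The distinct-source condition is what separates a flood from a legitimate burst (a call center dialing at shift start comes from a handful of hosts); the missing-ACK count is the more robust signal, because it measures exactly the state the talk says the server cannot shed until its retransmission timers run out.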
In our academic research, we developed these two attack methods by using the weaknesses of the retransmission mechanism and brought them to the academic literature. This article was published in Elsevier's Computers & Security journal. There is a prerequisite for the target in the first attack method: the target user should be registered to the SIP server, but they should not have access to the internet at that time, or the registration should be removed in some way at that time. No problem, we can provide this condition using the registration removal attack we have added to the SIP-ASP scenarios, or we can satisfy this precondition by performing a denial of service attack on the target client. Then what we want to do is send an INVITE message and wait for the SIP server to send the same INVITE message 7 times over 32 seconds in total using the retransmission mechanism to transmit this message to the other party. When no response is received from the other party, the SIP server will send us a 408 Request Timeout message and wait for an ACK message from us. If we don't answer, it will assume that it cannot deliver the packet and will retransmit it 7 times over 32 seconds in total. Thus, by sending only one INVITE message we occupy resources on the target server for 64 seconds. We don't have a prerequisite in the attack in the second figure; the target users will be registered to the SIP server. Since we only leave the responses coming to us unanswered, we will potentially occupy the server and target client resources for a minimum of 32 seconds. There is another attack scenario that we have developed for our academic studies. We named it SIP Request Reflection Attack in short. Just like the ICMP Smurf attack, we also worked on attack methods that could reflect our attacks, and we brought our study results to the literature through our academic papers.
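The retransmission arithmetic behind the "7 times over 32 seconds" and the 64-second occupancy is worth seeing written out, because it is what lets a defender size how much state one unanswered INVITE pins on a server. The Python below is an added example, not from the talk or from Mr. SIP, and reproduces the RFC 3261 timer schedules from T1 = 500 ms: Timer A doubles until Timer B (64 x T1 = 32 s) fires, giving the 7 INVITE transmissions the talk counts; for non-INVITE requests and for a server's retransmission of a final response the RFC caps the interval at T2 = 4 s, so the count differs while the 32-second bound holds. The last function applies Little's law to turn an INVITE rate into the number of transactions held concurrently; the rate used is a constructed value.

```python
T1 = 0.5   # RFC 3261 default round-trip estimate, seconds
T2 = 4.0   # maximum retransmit interval for non-INVITE requests and INVITE responses


def invite_transmissions(t1=T1):
    """Timer A: resend the INVITE after T1, 2*T1, 4*T1 ... until Timer B (64*T1) fires
    (RFC 3261 section 17.1.1.2). Returns the send times in seconds, initial send included."""
    times, elapsed, interval = [0.0], 0.0, t1
    deadline = 64 * t1
    while elapsed + interval < deadline:
        elapsed += interval
        times.append(elapsed)
        interval *= 2
    return times


def non_invite_transmissions(t1=T1, t2=T2):
    """Timer E doubles but is capped at T2; Timer F (64*T1) ends the transaction
    (RFC 3261 section 17.1.2.2). The same capped schedule (Timers G/H) governs a server
    retransmitting a final non-2xx response to an INVITE while it waits for an ACK."""
    times, elapsed, interval = [0.0], 0.0, t1
    deadline = 64 * t1
    while elapsed + interval < deadline:
        elapsed += interval
        times.append(elapsed)
        interval = min(interval * 2, t2)
    return times


def seconds_held_by_unanswered_invite(t1=T1):
    """The talk's first scenario: the proxy retries the INVITE toward an unreachable callee
    until Timer B, then retransmits the 408 until Timer H while the ACK never arrives."""
    return 64 * t1 + 64 * t1


def concurrent_transactions(invites_per_second, hold_seconds):
    """Little's law: transactions (and their memory) the server holds in steady state."""
    return invites_per_second * hold_seconds


if __name__ == "__main__":
    print("INVITE sends:", invite_transmissions())            # 7 sends, last at 31.5 s
    print("non-INVITE sends:", len(non_invite_transmissions()))
    hold = seconds_held_by_unanswered_invite()
    # Constructed rate: a modest 100 unanswered INVITEs per second.
    print(f"{hold:.0f} s held per INVITE -> {concurrent_transactions(100, hold):.0f} live transactions")
```

Two defensive conclusions fall out of the numbers: a rate limit must be set against the hold time, not the packet rate alone (100 INVITE/s becomes 6400 simultaneous transactions), and lowering Timer B/H or dropping transactions whose source never ACKs is what shrinks the multiplier the talk's attacks rely on.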
Here, we have been able to enable these attacks by combining the weaknesses of the SIP headers' priority and the IP spoofing technique. This work was published in the IEEE Access journal. This is to visualize the VoIP pentest steps that we can do using Mr. SIP Pro. Maybe we can call it a workflow instead of a methodology. Compared to the one in Mr. SIP version 1, we can call this one version 2. This workflow shows what Mr. SIP Pro can do today, and it will do more. Its scope will expand further with more advanced features. We thank our friends for their contributions. We also thank our lead maintainer Hakke. He is a great programmer, and he is available to hire for internships or full-time jobs. We would like to expand our capabilities. If you have any useful wordlist in a related field, please share it with us. And here are our references. If anyone is interested in further reading, we have more details here. Thanks everyone for listening, and again, please give a star on our GitHub, please follow us on Twitter, and please subscribe to our YouTube channel, so we can keep you updated. My contact information is in the description below. Thank you very much.